
Migrating from Trivy to Mondoo: A Practical Guide to Strengthening Your Security Posture

The recent supply chain compromise of the Trivy vulnerability scanner has prompted many security teams to reevaluate their tooling. This guide walks you through migrating from Trivy to Mondoo, focusing on what you gain and how to ensure a smooth transition.

Patrick Münch

The recent supply chain compromise of the Trivy vulnerability scanner has prompted many security teams to reevaluate their tooling. Whether that incident is driving your decision or you're exploring more comprehensive security solutions, this guide walks you through migrating from Trivy to Mondoo, focusing on what you gain and how to make the transition smooth.

Why Teams Are Rethinking Their Scanner Strategy

On March 19, 2026, threat actors injected credential-stealing malware into official releases of Aqua Security's Trivy scanner, the trivy-action GitHub Action, and the setup-trivy GitHub Action. The attack, attributed to a group known as TeamPCP, exploited a misconfiguration in Trivy's GitHub Actions workflows to exfiltrate a privileged access token, then used that access to poison 76 of 77 release tags with a multi-stage credential stealer. The malicious code ran silently before the legitimate scanner, so affected CI/CD workflows appeared to complete normally while secrets were harvested in the background.

The impact has been significant: over 1,000 cloud environments were compromised, all 44 of Aqua Security's internal GitHub repositories were defaced, and the stolen credentials fueled a self-propagating npm worm called CanisterWorm that hit 47+ packages across multiple scopes. Microsoft, CrowdStrike, Palo Alto Networks, and Wiz all published guidance for affected organizations.

This isn't a critique of the Trivy team; supply chain attacks can happen to anyone, and Aqua Security has been working diligently on remediation. But the incident underscores a broader point we've been talking about for a long time: your security toolchain is part of your attack surface, and the tools you trust with your secrets deserve the same scrutiny you apply to everything else.

The Supply Chain Worm Era Is Here

The Trivy compromise didn't happen in isolation. It's the latest chapter in a pattern we've been tracking closely at Mondoo.

In September 2025, the Shai-Hulud attack introduced a new class of threat to the npm ecosystem: a self-propagating worm that weaponized developer identity and the implicit trust baked into modern CI/CD pipelines. It wasn't just another malicious package; it was a prototype of autonomous supply chain malware that could spread without further action by the attacker. We wrote at the time that this was just the beginning.

Then came Glassworm. Between March 3 and March 9, 2026, a coordinated multi-ecosystem attack wave compromised at least 151 GitHub repositories and pushed malicious packages to npm, the VS Code Marketplace, and the Open VSX Registry, four distinct ecosystems in a single campaign. Glassworm didn't modify code in ways human reviewers could see; it hid in the encoding layer beneath the abstraction that modern development tools present to developers. As I wrote then: the era of the software supply chain worm is no longer a forecast, it is here.

And then, just days later, the Trivy compromise further amplified the problem. The stolen credentials from compromised CI/CD pipelines fed directly into CanisterWorm, which evolved into Shai-Hulud v3.0, stealthier, more resilient, and harder to detect than its predecessors.

The through-line is clear: supply chain worms are evolving faster than point scanners can keep up. Defending against them requires a platform that treats supply chain security as a first-class architectural concern, not a feature bolted onto a vulnerability scanner.

What Mondoo Brings to the Table

Mondoo offers proactive vulnerability management, giving security teams confidence that threats are identified and addressed early, which is essential for their peace of mind and their trust in the platform.

Mondoo isn't just a scanner; it's a full-stack managed service built on our two open-source foundations: cnspec for security assertions and MQL (Mondoo Query Language), a purpose-built query language for infrastructure.

Here's what that means in practice:

Unified policy as code across the entire lifecycle. Mondoo is the only unified policy as code solution that works across IaC, plan, state, and runtime. While Trivy primarily focuses on vulnerability scanning and misconfiguration detection at individual stages, Mondoo lets you write a policy check once and apply it as a variant across Terraform HCL, Terraform Plan, Terraform State, and the actual running infrastructure. One language. One policy set. From first commit to runtime, with no gaps between stages where misconfigurations can hide.

Policies are written in intuitive YAML with lightweight MQL scripts, purpose-built for security teams. No need to learn Rego or maintain separate policy sets for different stages of your infrastructure lifecycle.

Deep Terraform coverage at every stage. Mondoo doesn't just scan your .tf files for misconfigurations. It works across the full Terraform lifecycle, including HCL source code, plan files, state files, and the actual runtime infrastructure that those files provision. The real power comes from policy variants: author one logical check that Mondoo automatically evaluates at every stage, so you catch issues where they're cheapest to fix and verify they stay fixed after deployment.

Queryable infrastructure. With MQL, you can explore your infrastructure the way you'd query a database. Want to know which TLS versions your servers are running? Which S3 buckets lack encryption? What IAM policies have overly broad permissions? Ask the question, get the answer. Then codify the answer into a cnspec policy that runs automatically going forward.

400+ resource types across every major platform. AWS, Azure, GCP, Kubernetes, Docker, Linux, macOS, Windows, GitHub, GitLab, Microsoft 365, Slack, Terraform, Ansible, CloudFormation, and more. One tool covers the ground that previously required stitching together multiple scanners.

CIS-certified benchmarks. Mondoo is the first full-stack security vendor to receive CIS SecureSuite certification for GitHub, and ships with CIS benchmarks for all major cloud providers, operating systems, and platforms, ready to use out of the box.

Agentic managed vulnerability service. Beyond scanning and policy enforcement, Mondoo now offers an agentic managed vulnerability service that brings AI agents and security experts together to continuously find, prioritize, and fix vulnerabilities across your entire environment, including cloud, on-premises, SaaS, endpoints, network devices, and the SDLC. All remediation code is pre-tested and human-verified (Ansible, Terraform, Intune, CloudFormation, scripts), with built-in rollback and version control. You set the level of AI autonomy you're comfortable with, and the system handles the rest. Customers are seeing 60% fewer vulnerabilities and mean-time-to-remediation under 16 days, 10x faster than manual remediation.

Migration Guide: From Trivy to cnspec

Migrating from Trivy to Mondoo is straightforward: DevOps teams stay supported and in control throughout the transition, with minimal disruption.

While the steps below show how straightforward cnspec is to adopt on your own, Mondoo's managed service handles all of this for you, from initial setup and policy configuration to CI/CD integration and ongoing remediation. If you'd rather hand the migration to our team and start seeing results immediately, skip ahead to Getting Started. For teams that prefer a hands-on approach, here's what the process looks like:

Step 1: Install cnspec

Getting started is straightforward. On Linux or macOS:

Bash
bash -c "$(curl -sSL https://install.mondoo.com/sh)"

On Windows (PowerShell):

Powershell
Set-ExecutionPolicy Unrestricted -Scope Process -Force;
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
iex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1'));
Install-Mondoo;

To get centralized reporting and policy management, sign up for a free account at console.mondoo.com and register your CLI:

Bash
cnspec login

Step 2: Map Your Trivy Workflows to cnspec

Here's how common Trivy commands translate:

Terraform misconfiguration scanning:

Bash
# Trivy
trivy config --severity HIGH,CRITICAL ./terraform-infra
# Mondoo
cnspec scan terraform ./terraform-infra

Terraform plan scanning:

Bash
# Trivy
terraform plan --out tfplan.binary
terraform show -json tfplan.binary > tfplan.json
trivy config tfplan.json
# Mondoo
terraform plan --out tfplan.binary
terraform show -json tfplan.binary > tfplan.json
cnspec scan terraform plan tfplan.json

Container image scanning:

Bash
# Trivy
trivy image myapp:latest
# Mondoo
cnspec scan container image myapp:latest

Kubernetes manifest scanning:

Bash
# Trivy
trivy config -f json ./k8s-manifests/
# Mondoo
cnspec scan k8s --path ./k8s-manifests/

Step 3: Update Your CI/CD Pipelines

Replace the aquasecurity/trivy-action GitHub Action with Mondoo's action. Here's a GitHub Actions example:

YAML
# Before (Trivy)
- name: Run Trivy scanner
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: 'config'
    scan-ref: './terraform'
    severity: 'HIGH,CRITICAL'
# After (Mondoo)
- name: Run Mondoo scanner
  uses: mondoohq/actions/scan@main
  with:
    service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
    scan-type: terraform
    path: ./terraform
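Both snippets above reference the action by a mutable branch name (`@master`, `@main`), which resolves to whatever the upstream repository serves at run time; the poisoned trivy-action release tags reached pipelines through exactly that kind of mutable reference. The following added example (not Mondoo's or Trivy's code) lists every `uses:` entry in a workflow that is not pinned to a full commit SHA, so the replacement step can be pinned before it is merged. The sample workflow and its all-zero SHA are constructed placeholders.

```python
import re
from typing import List, Tuple

# Added example, not Mondoo's or Trivy's code. A line-based regex is used on
# purpose: it needs no third-party YAML library and works on any workflow file.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def find_unpinned_actions(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reference) for each action not pinned to a commit SHA."""
    unpinned = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local composite actions and container images are not Marketplace refs.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, sep, version = ref.rpartition("@")
        # No "@" at all, or a tag/branch instead of a 40-hex commit SHA: report it.
        if not sep or not FULL_SHA_RE.match(version):
            unpinned.append((lineno, ref))
    return unpinned


# Constructed sample workflow: the migrated Mondoo step from above, plus a
# checkout pinned to a placeholder (all-zero) full commit SHA for comparison.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - name: Run Mondoo scanner
        uses: mondoohq/actions/scan@main
        with:
          service-account-credentials: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
          scan-type: terraform
          path: ./terraform
      - uses: ./.github/actions/notify
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

Run it against each file under `.github/workflows/` as a pre-merge check; an empty result means every Marketplace action is pinned to an immutable commit.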

Mondoo also integrates natively with GitLab CI/CD, CircleCI, Jenkins, Azure DevOps, and other major CI/CD platforms. For managed service customers, our team configures these integrations for you, including pipeline setup, service account provisioning, and policy tuning, so you can go from onboarding to production scanning without pulling your engineering team off other work.

Step 4: Enable Policies

One of Mondoo's strengths is its curated policy library, the largest out-of-the-box collection available, with built-in remediation guidance and unified exceptions management. From the Mondoo Console, enable the policies that match your needs:

  • Mondoo Terraform Security — catches misconfigurations in HCL code and plan files
  • Mondoo AWS/Azure/GCP Security — cloud-specific security checks that include Terraform-aware rules
  • CIS Benchmarks — industry-standard compliance frameworks for cloud providers, operating systems, and platforms
  • Mondoo Supply Chain Security — policies for securing your repositories, CI/CD pipelines, and container registries

Policies are written in declarative YAML using MQL, so they're easy to read, customize, and version-control alongside your infrastructure code. Managed service customers get policies selected, configured, and tuned by Mondoo's security team based on your environment, compliance requirements, and risk profile, no guesswork required.

Step 5: Go Beyond Scanning — Query Your Infrastructure

This is where Mondoo starts to pull ahead of what any traditional scanner can offer. With MQL, you get an interactive shell for exploring infrastructure:

Bash
cnspec shell terraform ./terraform-infra

From there, you can ask questions like:

MQL
# Start from every aws_security_group resource; inspect its ingress blocks to spot SSH open to 0.0.0.0/0
terraform.resources.where( nameLabel == "aws_security_group" )
# Start from every aws_s3_bucket resource; check for a missing server-side encryption configuration
terraform.resources.where( nameLabel == "aws_s3_bucket" )

This turns security from a pass/fail gate into an exploratory, data-driven practice, and anything you discover can be codified into a policy that runs automatically going forward.

What You Gain After Migrating

Broader coverage without tool sprawl. Instead of maintaining separate tools for container scanning, IaC analysis, and cloud security posture management, you get a single platform that covers them all, with one policy language that works everywhere.

Continuous security posture management. Mondoo doesn't just scan on demand, it continuously monitors your infrastructure and reports drift from your security baseline. When something changes, you know about it.

Write once, enforce everywhere. Mondoo's policy variant system means a single check can be evaluated against HCL, plan, state, and runtime. No duplicate logic, no gaps between stages.

Compliance on autopilot. Map your security posture directly to compliance frameworks like CIS, SOC 2, HIPAA, PCI DSS, and more, with end-to-end visibility from first commit through runtime and exportable reports for auditors.

A platform built for the supply chain worm era. From CIS-certified GitHub scanning to CI/CD pipeline security to the agentic managed vulnerability service, Mondoo treats supply chain security as a foundational architectural concern. When the next Shai-Hulud, Glassworm, or CanisterWorm emerges, and it will, you want security tooling that was designed with this threat landscape in mind.

Remediation that actually happens. This is where the managed service fundamentally changes the equation. With Trivy, or any scanner, you get a list of findings. With Mondoo's agentic managed vulnerability service, vulnerabilities don't just get flagged, they get fixed. Our team and AI agents deliver pre-tested remediation code (Ansible, Terraform, Intune, CloudFormation, scripts), with human oversight and built-in rollback. Your vulnerability backlog shrinks rather than grows, and your engineering team stays focused on building the product.

Getting Started

You have two paths, depending on how much you want to take on yourself:

Self-serve: Go to github.com/mondoohq/cnspec, install cnspec, run your first scan, and explore the results. The migration steps above will get you from Trivy to Mondoo in an afternoon.

Managed service: Let Mondoo handle the entire migration and ongoing vulnerability management for you. Our team takes care of setup, policy configuration, CI/CD integration, and continuous remediation, backed by AI agents and human security experts working as an extension of your team. You get 60% fewer vulnerabilities, mean-time-to-remediation under 16 days, and your engineering team stays focused on building product instead of chasing CVEs.

Whether you're going hands-on or handing it off, reach out or join the community on GitHub. If you're migrating from Trivy in the wake of the supply chain incident, our team is ready to help with transition planning today.

Your security tools and services partners should make your infrastructure safer, not become another vector you have to defend. Mondoo was built with that principle at its core.

About the Author

Patrick Münch

Co-Founder & CSO

Chief Security Officer (CSO) at Mondoo, Patrick is highly skilled at protecting and hacking every system he gets his hands on. He built a successful penetration testing and incident response team at SVA GmbH, whose goal was to increase the security level of companies and limit the impact of ransomware attacks. Now, as part of the Mondoo team, Patrick can help protect far more organizations from cybersecurity threats.
